
I'm new to PHP and I'm about to finish up a project; however, I need to protect my database from SQL injections. Do I need to strip slashes on every SQL query I do, or do I only need to do it for SQL INSERT/UPDATE statements and not SELECT statements? Or is it best practice to do it for everything?

I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.

Staleyr
  • stripslashes/addslashes are the PHP equivalent of using soggy toilet paper to clean up after a hurricane. They're crap, they're useless, and they'll give you an utterly false sense of security. The PHP maintainers should have deprecated those functions at the same time they deprecated magic_quotes and the rest of the outright idiocy in the language. – Marc B Apr 03 '13 at 18:48
  • I know how to prevent it; I'm asking when should I prevent it? – Staleyr Apr 03 '13 at 18:50
  • When should you wear a seatbelt? **ALWAYS**. If you're asking when to prevent it, then you don't really understand the problem. – Marc B Apr 03 '13 at 18:51
  • @Staleyr - you should secure every query you make to the database that has user input in it. – andrewsi Apr 03 '13 at 18:51
  • Correct, so I don't need it when I'm pulling data from the db, only when updating and inputting data, because you don't wear a seatbelt when you're sitting at a drive-in movie. – Staleyr Apr 03 '13 at 18:53
  • Next time you start a PHP/MySQL project, start with using mysqli or PDO and prepared statements. Don't wait till you're almost done. – Miguelo Apr 03 '13 at 18:53
  • If you're letting user data (including data YOU'RE providing) anywhere NEAR **ANY** SQL statement, you have to prevent injection. You can quite easily inject yourself. – Marc B Apr 03 '13 at 18:54
  • @Staleyr - No. You need it whenever you're making a query that has user-entered data in it, be it a SELECT, INSERT, or UPDATE. – andrewsi Apr 03 '13 at 18:57
  • whoever marked this as a duplicate needs to learn to read a full question before answering... – Staleyr Apr 03 '13 at 19:13

4 Answers

strip_slashes() is not what you want. You should be using prepared/parameterized queries which separate the data from the SQL, making it inherently safe from this problem.

Brad

Use PDO or mysqli with prepared statements.

000

There are so many other ways to inject using SQL. If you want a good example of this, here's one: /* in one field, */ in another. Everything in between will be commented out on MySQL 4 and MySQL 5 without parametrization.

Switch to PDO/MySQLi and request true parametrization from the driver. This will force the driver to send the request without data first, and the data in another packet, thus forcing compliance, along with solving many, many headaches.

If this hasn't convinced you yet, try this link: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ .

Sébastien Renauld
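As an added example (not code from the question or from any of the answers above) of the point made in Brad's and Sébastien Renauld's answers: the /* ... */ comment-splice trick run against a plain SELECT, beside the same query written as a PDO prepared statement. It uses PDO's SQLite driver so that it runs offline without a MySQL server; the table, rows and attacker inputs are constructed for the demonstration, and the emulation setting is included because on the MySQL driver it is what makes the values travel separately from the SQL text (the SQLite driver simply declines it).

```php
<?php
// Added example, not from the original question or answers. PDO with the
// SQLite driver so it runs offline; the same PDO calls work against MySQL.
// Table, rows and attacker inputs below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
// Ask for real server-side parameters instead of client-side quoting. On
// MySQL this sends the statement text first and the values in a separate
// packet; the SQLite driver does not support the attribute and returns
// false here, which is why it is set before switching on exceptions.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");

// Attacker-controlled input for a login check, i.e. a SELECT, not an
// INSERT or UPDATE. The second pair is the comment-splice from the answer:
// /* in the username field and */ in the password field comment out the
// whole "AND password = ..." clause, leaving "username = 'alice' OR 1=1".
// The trailing space after -- keeps the comment valid on MySQL as well.
$inputs = [
    ['alice', 'correct horse'],        // legitimate login
    ["alice'/*", "*/ OR 1=1 -- "],     // comment-splice across two fields
    ['anything', "' OR '1'='1"],       // classic single-field injection
];

// Vulnerable: user data is interpolated into the SQL text, so the database
// cannot tell data from code. Returns the number of matching users.
function loginConcat(PDO $pdo, string $user, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Fixed: the SQL text contains only placeholders; the values are bound
// afterwards and can never be parsed as SQL, comments included.
function loginPrepared(PDO $pdo, string $user, string $pass): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn();
}

foreach ($inputs as [$user, $pass]) {
    printf(
        "%-32s concat=%d prepared=%d\n",
        json_encode([$user, $pass]),
        loginConcat($pdo, $user, $pass),
        loginPrepared($pdo, $user, $pass)
    );
}
```

The legitimate pair matches one row either way; both injected pairs match every row (2) through the concatenated SELECT and none through the prepared statement, which is the answer to the question as asked: the statement type does not matter, only whether user data reaches the SQL parser.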

Use PDO. Not "PDO or MySQLi", but PDO. It's the only reliable driver available (though it offers insufficient protection).

If you want full protection, use SafeMysql.

I'M NOT ASKING HOW TO PREVENT SQL INJECTION, I'M ASKING WHEN TO USE IT.

Good question.

  1. You don't need any protection or prevention.
  2. You have to format your queries properly. ALWAYS.
Your Common Sense